Security researchers are reporting that Trojan applications that encrypt your files to hold for ransom are popping up on Android devices. Here's how to keep yourself safe, and what to do if disaster strikes.


In May, Bitdefender pointed us toward what might have been the first Android ransomware—that is, a malicious application that attempts to extort money from victims. Now, F-Secure tells SecurityWatch that a far more insidious ransomware has debuted on Android. Called Simplelocker, this Trojan encrypts your personal files and claims it will delete the keys necessary to decrypt them unless you pay up.

If this sounds familiar, that's because it's the same strategy used by Cryptolocker to extort money from PC users. We've been expecting this style of attack to make the jump to mobile for some time, and that grim day has arrived.

Get Behind Me, Simplelocker

"Upon installation, this fake video player app searches for user files on the Android device's SD card such as images, documents, video, etc.," explained F-Secure. The Trojan then encrypts these files using AES. Next, the Trojan locks victims out of their phones and displays a ransom message in Cyrillic. So far, this Trojan has appeared most frequently in Russia and Ukraine.

The app's message tells victims to wire the equivalent of $20 USD to the attackers using payment kiosks commonly found in Eastern Europe. The app further threatens to destroy the cryptographic keys unless the ransom is paid within 24 hours. As if that wasn't enough motivation, the app also informs victims that they are seeing this message because they were "caught" browsing illegal pornographic material—usually child pornography or bestiality films.

In their analysis of Simplelocker, Blue Coat Systems noticed that although the Trojan does encrypt victims' files, it might not be able to delete the encryption keys. "We don't see evidence that there's a way to carry out this part of the threat in the versions of this malware we've been scrutinizing, but that doesn't mean it can't happen in a future release."

There appears to be some variation between Simplelocker Trojans. F-Secure found different variants that demanded Ukrainian or Russian currency, and other ransomware Trojans that used SMS or Tor to communicate with their command and control servers. Blue Coat also noted that Simplelocker comes in many guises, with names like DayWeekBar, VideoPlayer, VPlayer, and the oddly named "Sex xonix."

Kaspersky also detected a file-encrypting ransomware Trojan targeting the same region. They named their discovery Trojan-Ransom.AndroidOS.Pletor.a, but from reading their analysis it appears to be very similar to Simplelocker. Kaspersky notes that they have detected some 2,000 infections across 13 countries.

Whatever you call it, the attack vector for the ransomware appears to be the same. The attackers create fake porn sites that prompt visitors to download and install a special app to play videos. Instead of a video player, victims install the Trojan.

Targeting pornographic websites is fairly common in the world of malware. The thinking is that people engaged in potentially embarrassing activities will be less likely to report the attacks. Porn consumers may also be less discerning about Internet security since pornography continues to be something of a shady service. Attackers know this, and take advantage of it. Even the NSA had planned to use porn-shaming as a strategy.

Don't Pay Up!

"While the malware does contain functionality to decrypt the files, we strongly recommend against paying up," wrote ESET's Robert Lipovsky. "Not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them."

Instead of paying up, ESET recommended that Android users get in the habit of carefully backing up their devices. "Because when you have a backup, then any Filecoder trojan – be it on Android, Windows, or any operating system – is nothing more than a nuisance," wrote Lipovsky. Google does back up your apps and some settings, but the files targeted by ransomware usually aren't included.

My colleague Jill Duffy has great advice on how to back up all the important stuff on your Android device. Many Android security apps also offer backups as a premium feature, or you can look to apps like Flickr for free backups for specific types of files.

Kaspersky researchers were slightly more optimistic when writing about the Pletor.a Trojan. They agree that paying off the criminals is not the best option, but have found a weak spot in the Trojan. "All the versions of the Trojan that we have seen contain a key that can be used to decrypt affected files," writes Roman Unuchek. If you think you've been infected by Pletor.a, Kaspersky invites you to send your affected files to them via email at newvirus@kaspersky.com.
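The two technical points on this page, the SD-card sweep and AES file encryption described by F-Secure, and the static decryption key that Kaspersky found embedded in every Pletor.a sample, fit in one small model. The program below is an added illustration written for this page, not code from Simplelocker, Pletor.a, or any of the vendors quoted. The 16-byte key, the file-extension list, the choice of AES-128-CBC with a random IV, and the in-memory "SD card" are all constructed assumptions: the page does not disclose the real key, mode, or extension list. What the example shows is the consequence of shipping the key inside the app: anyone who pulls it out of the APK can run the recovery routine offline without paying.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// HYPOTHETICAL key: a stand-in for the static key that Kaspersky reports is
// embedded in every Pletor.a sample. The real key is not on the page.
var embeddedKey = []byte("0123456789abcdef") // 16 bytes -> AES-128

// Assumed target extensions; the page only says "images, documents, video".
var targetExt = map[string]bool{
	".jpg": true, ".jpeg": true, ".png": true,
	".doc": true, ".docx": true, ".txt": true, ".pdf": true,
	".mp4": true, ".3gp": true, ".avi": true,
}

// findTargets models the SD-card sweep: keep only names whose extension
// is on the list, compared case-insensitively.
func findTargets(names []string) []string {
	var out []string
	for _, n := range names {
		if targetExt[strings.ToLower(filepath.Ext(n))] {
			out = append(out, n)
		}
	}
	return out
}

// pkcs7Pad copies the input so the caller's buffer is never written to.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	padded := append([]byte(nil), b...)
	return append(padded, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptFile: AES-128-CBC under the embedded key, random IV prepended.
func encryptFile(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(embeddedKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptFile is what a victim or an AV lab can run once the key has been
// lifted from the APK: no server contact and no payment are involved.
func decryptFile(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(embeddedKey)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed stand-in for the SD card; the .apk is deliberately not on the list.
	sdcard := map[string][]byte{
		"DCIM/IMG_001.jpg":     []byte("jpeg bytes ..."),
		"Documents/cv.docx":    []byte("docx bytes ..."),
		"Movies/clip.mp4":      []byte("mp4 bytes ..."),
		"Android/data/app.apk": []byte("not targeted"),
	}
	names := make([]string, 0, len(sdcard))
	for n := range sdcard {
		names = append(names, n)
	}
	targets := findTargets(names)
	for _, n := range targets { // the Trojan's sweep and encryption
		enc, _ := encryptFile(sdcard[n])
		sdcard[n] = enc
		fmt.Printf("encrypted %s (%d bytes)\n", n, len(enc))
	}
	for _, n := range targets { // recovery with the embedded key
		pt, err := decryptFile(sdcard[n])
		fmt.Printf("recovered %s: %q err=%v\n", n, pt, err)
	}
}
```

The recovery step works only because the key is a constant in the sample, which is exactly the weak spot Kaspersky describes. A variant that fetched a per-victim key from its command and control server, or that encrypted the file key with a public key whose private half stays with the attacker, would leave decryptFile with nothing to work with; that is the threat the page expects future releases to follow through on.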

Stay Safe

Because victims of ransomware attacks have few avenues available to them, it's better to avoid infection in the first place. As always, we advise readers to install and learn to use security apps on their Android device. Also, never install an app from outside the Google Play store: Simplelocker arrives as a sideloaded APK, so it needs the "Unknown sources" setting enabled to install at all, and leaving that setting off closes the door it relies on.

Ransomware has been startlingly effective on PCs, and it's not surprising that it's made the jump to mobile. Unfortunately, this is probably just the beginning. In their analysis of Simplelocker, ESET wrote "we are most likely dealing with a proof-of-concept or a work in progress." It's a sure bet that we'll see new variants, and more "finished" versions, soon.

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.